Analysis

  • max time kernel: 150s
  • max time network: 141s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230703-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14/07/2023, 07:16

General

  • Target: 2456675bfe2e68d6149c840b1d11dd61.exe
  • Size: 268KB
  • MD5: 2456675bfe2e68d6149c840b1d11dd61
  • SHA1: 6c22b191eeaed5024ce6e09c598ea9457865d9d7
  • SHA256: 6db833ede0af9d00bf80c1fe134e947b1ec44bff55713251669021af1d8dac20
  • SHA512: 41390fb091301277526729f8b8e7f93f277365fe5d5bfbe02e42c776d0ae0ab0cb250aef61d44c262c54026937d77e52dc2c58669b212d5188e2e37d40de981f
  • SSDEEP: 6144:vC27B0fQe1+5BMWxix39ri0vCb8aiIxJMiDmd/GnsRrsgot3W:jw0fLi/i0qbBxJh6dOn9ga3W

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: al05
  • Decoy domains:


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 1 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2456675bfe2e68d6149c840b1d11dd61.exe (process 1, PID:3300)
    "C:\Users\Admin\AppData\Local\Temp\2456675bfe2e68d6149c840b1d11dd61.exe"
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\2456675bfe2e68d6149c840b1d11dd61.exe (process 2, child of PID 3300, PID:1224)
      "C:\Users\Admin\AppData\Local\Temp\2456675bfe2e68d6149c840b1d11dd61.exe"
      • Checks QEMU agent file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsf12D8.tmp\System.dll
    • Filesize: 11KB
    • MD5: 375e8a08471dc6f85f3828488b1147b3
    • SHA1: 1941484ac710fc301a7d31d6f1345e32a21546af
    • SHA256: 4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
    • SHA512: 5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

  • memory/1224-143-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
  • memory/1224-144-0x0000000077E01000-0x0000000077F21000-memory.dmp (Filesize: 1.1MB)
  • memory/1224-145-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
  • memory/1224-146-0x0000000077E88000-0x0000000077E89000-memory.dmp (Filesize: 4KB)
  • memory/1224-147-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
  • memory/1224-148-0x0000000001660000-0x0000000006A05000-memory.dmp (Filesize: 83.6MB)
  • memory/1224-149-0x0000000036E80000-0x00000000371CA000-memory.dmp (Filesize: 3.3MB)
  • memory/1224-150-0x0000000001660000-0x0000000006A05000-memory.dmp (Filesize: 83.6MB)
  • memory/1224-152-0x0000000077E01000-0x0000000077F21000-memory.dmp (Filesize: 1.1MB)
  • memory/3300-141-0x0000000077E01000-0x0000000077F21000-memory.dmp (Filesize: 1.1MB)
  • memory/3300-142-0x0000000010000000-0x0000000010006000-memory.dmp (Filesize: 24KB)